Container as Access Control List
This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.
With the enhanced presence model, users can publish personal information such as home telephone numbers and addresses. Taking advantage of the ability to publish custom presence information gives a user the ability to publish other sensitive information. When a local user logs on to Unified Communications Server, that user is visible to any remote user who searches for the local user's display name or e-mail address. Without the ability to restrict access to the local user's presence information, the local user would expose all published presence information to any remote user without the access control list (ACL). The ACL provides rules that Office Communications Server observes when provisioning remote clients with contact presence information. Only a remote user who is authenticated can receive presence information, and the information received is restricted according to the ACL rules.
Container
A container is an example of a strongly typed category instance. The refined type definition of the container allows it to contain different types of strongly typed category instances. A container provides access control for the associated category instances. In addition to associated category instances, a container has a list of members, each with an associated access scope property. If a subscribing user can be matched to a container member by scope, the subscribing user receives the category instances found in the parent container.
Using this mechanism, you control the level of access that a subscribing user has to the self-presence information you publish.
Container Members
A container has a collection of IUccContainerMember objects. The container member interface represents a remote subscribing user. The IUccContainerMember interface exposes several properties useful in managing subscribing users:
- Containers. This property provides a list of containers in which this member has membership.
- Scope. The Scope property returns an enumerated value indicating the access scope of the member. For possible scope values, see UCC_CONTAINER_MEMBERSHIP_SCOPE.
- Uri. The SIP Uri of the container member.
Having container membership implies that the subscribing user is granted access to the category instances published to the container by the local user. If a subscribing user is a member of multiple containers, the remote user receives category instances from the container with the highest ID. For example, if Jay Adams of contoso.com is a member of the local user's container 400 and container 32000, Jay receives the categories published to container 32000. In this case, the practical effect of Jay's membership in container 32000 is to block his access to the local user's presence.
The container interface exposes methods to add, remove, and get members of a specified access scope. To add or remove a container member, the local user must cache the container category instances provisioned on the client at logon time. The cached container of interest is updated with a call to the appropriate container method. When the members of interest are added or removed, a publishable instance of the container is created and added to a publication object. When the container is published, Office Communications Server applies the new container membership list to all subscribing users.
Container Categories
In addition to a list of subscribing user members, the container must have a list of category instances to which the container members are granted access. By default, Office Communications Server provisions well-known containers with well-known category instances. An application can selectively remove category instances from a container or create new custom category instances and associate them to existing containers. A category is associated to a container by setting its ContainerId property to the value of the container's Id property. When a new custom container is created and published, it must contain both members and category instances.
Category instances are associated to containers at the time the category is published. The publication manager interface exposes the CreatePublishableCategoryInstance method. The third argument of this method is an integer representing the instance Id to be associated with the new container instance. The instance Id assigned to the new category is the Id of the container when the category is cast to the IUccContainer interface.
Access Scope
Access scope is defined in UCC_CONTAINER_MEMBERSHIP_SCOPE. Any user within the specified access scope is granted the access to the contained category instances. The URI property is ignored unless the scope is UCC_CONTAINER_MEMBERSHIP_SCOPE.UCCCMS_USER or UCC_CONTAINER_MEMBERSHIP_SCOPE.UCCCMS_DOMAIN.
Membership scope is composed of the following access levels:
- User: Comprised of the single user identified by SIP:URI.
- Domain: Comprises users whose URI is in the same domain.
- Company: Comprises users in the same organization behind a common firewall.
- Federated Enterprise: Comprises users across domains but in the same federation and enterprise.
- Federated Public: Comprises users across domains but in the same federation regardless of enterprise membership. This membership scope includes Public Internet Cloud (PIC) users of services like APL, MSN, and Yahoo.
- Everyone: Comprises all users in all domains.
Access Control List Containers
Office Communications Server creates these reserved containers to provide access control functionality.
Container ID | Description |
---|---|
100 |
Public, Federated subscribers |
200 |
Workplace subscribers |
300 |
Team member subscribers |
400 |
Personal subscribers |
32000 |
Blocked subscribers |
Example
The following illustration shows the concept of container as an ACL with two common containers that provide ACL functionality. In this instance, the publishing user has created three category context objects:
- Notes
- Calendar Data
- Telephone numbers
The local user has published all three of these categories to a Personal container (ID 400) and the Notes category to a Workplace container (ID 200).
Note
Publishing a category to a container involves setting the ContainerID property of the publishable category instance to the desired container ID. Categories are not added directly to a container as subscribing user are. A subscribing user is added directly to a container using the AddMember method of IUccContainer.
The four subscribing entities (subscriber 1 through 3 and contoso.com) are added to the containers as members. The user has placed the domain, contoso.com, and subscribers 1 and 2 in the Workplace container. By doing so, access to presence notes for these subscribers is provided.
The local user's Personal container has the Notes, Calendar Data, and Telephone numbers category. Subscribers 1 through 3, but not contoso.com, are added as well. The presence of the three subscribers in the Personal container means that the three subscribers can access Notes, Calendar Data, and Telephone numbers.
Access Control Entity Matching
An individual subscriber can be a member of multiple ACL containers concurrently. Jaya@contoso.com can be added to a container with the membership scope level of UCC_CONTAINER_MEMBERSHIP_SCOPE.UCCCMS_USER. In this container, the subscriber is represented by the IUccContainerMember interface. The Uri property is *jaya@contoso.com*. In another container, the same subscriber is represented as a container member with a Scope of UCC_CONTAINER_MEMBERSHIP_SCOPE.UCCCMS_DOMAIN. In this case, the Uri value is contoso.com.
In the situation where a subscriber exists in multiple containers, Office Communications Server must choose one of the containers to provide the subscriber with category instance. Office Communications Server determines the correct container for a subscribing user using "most accurate ACE" logic. For example, if the subscribing user SIP/URI is jaya@contoso.com and container 100 contains a member whose Uri is jaya@contoso.com, the subscribing user gets the categories in container 100. A less accurate ACE match is on the domain, contoso.com, in another container. The priority of ACE matching:
- User ACE
- Domain ACE
- Company
- Federated Public
- Federated Enterprise
- Everyone. This group includes the Public Internet Cloud (PIC) users represented by such clients as Yahoo and others.
Special Containers
Office Communications Server defines special containers for receiving published data.
Container ID | Description |
---|---|
0 |
A container with an exclusive access scope. |
1 |
Self-presence category data, which includes userProperties, alerts, rccOptions, userInformation, and calendarData. |
2 |
The server aggregates user, machine, phone and calendar states published to this container. The states are published to container 100, 200, or 400. |
3 |
The server aggregates presence states in this container and publishes the aggregated computer and user states to container 300. |
See Also
Concepts
Category Subscription
Category and Category Instances
Programming Patterns with Subscription
Granting Permissions to View Published Presence States
Manage ACL Container Membership